commit 0abf07ca2c559c5193b6d8438fe74e4eb8f458a2
author Ronald Cron <ronald.cron@arm.com> Wed Dec 08 15:26:59 2021 +0100
committer Ronald Cron <ronald.cron@arm.com> Fri Dec 10 13:22:21 2021 +0100
tree fed6d34e605193d8c3380283d8fa49ea58b38254
parent 76a2b306ac9d175650c8d784d468f0dc0b04e8f3

Make PSA crypto mandatory for TLS 1.3

As we want to move to PSA for cryptographic operations
let's mandate PSA crypto from the start.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

docs/use-psa-crypto.md

diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 6ec2dca..4a78e47 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -12,9 +12,8 @@
 `MBEDTLS_ECP_RESTARTABLE` and
 `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` to be disabled.
 
-Effect: `MBEDTLS_USE_PSA_CRYPTO` currently has no effect on TLS 1.3 (which is
-itself experimental and only partially supported so far): TLS 1.3 always uses
-the legacy APIs even when this option is set.
+Effect: `MBEDTLS_USE_PSA_CRYPTO` has no effect on TLS 1.3 for which PSA
+cryptography is mandatory.
 
 Stability: any API that's only available when `MBEDTLS_USE_PSA_CRYPTO` is
 defined is considered experimental and may change in incompatible ways at any
@@ -157,11 +156,6 @@
 
 This is only a high-level overview, grouped by theme
 
-TLS: 1.3 experimental support
------------------------------
-
-No part of the experimental support for TLS 1.3 is covered at the moment.
-
 TLS: key exchanges / asymmetric crypto
 --------------------------------------
 

include/mbedtls/check_config.h

diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 84afcf0..ded871f 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -598,8 +598,10 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
-    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
+    ( ( !defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_SHA256_C) && \
+        !defined(MBEDTLS_SHA512_C) ) \
+      || ( !defined(MBEDTLS_PSA_CRYPTO_C) ) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
 #endif
 

tests/scripts/all.sh

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index eb67a71..08d3e65 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1531,6 +1531,7 @@
     scripts/config.py set MBEDTLS_ECP_RESTARTABLE  # not using PSA, so enable restartable ECC
     scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
     scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
     scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
     scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
     scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C